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IN THE CLAIMS: 



NO. 0536 P. 5 



Amended claims follow: 

1 . (currently amended) A computer program product for controlling a computer to 
detect an executable computer program containing a computer virus, said computer 
program product comprising: 

analysis logic for analyzing program instructions forming said executable 
computer program to identify suspect program instructions being at least one of: 

(i) a program instruction generating a result value not used by another portion of 
said executable computer program; and 

(ii) a program instruction dependent upon an uninitialised variable; and 
detecting logic for detecting said executable computer program as containing a 

computer virus if a number of suspect program instructions identified for Said executable 
computer program exceeds a threshold level, wherein said analysis logic includes a 
dependence table indicating dependency between state variables within said computer 
and loaded variable values, and for each program instruction said analysis logic makes a 
determination as to which state variables are read and written by that program instruction 
and for each loaded variable value within said dependence table if any state variable read 
by that program instruction is marked as dependent upon said loaded variable value, then 
all state variables written by that program instruction are marked as dependent upon said 
loaded variable value with previous dependencies being cleared, and said analysis logic 
parses said executable computer program for suspect program instructions by following 
execution flow and upon occurrence of a branch first following a first branch path having 



PAIS 5128 * RCVD AT 1W13120M 5:03:26 PM [Eastern DayDgfit 



OCT. 1 3. 2005 2:i4PM ' ZILKA-KOTAB. PC NO. 0536 P. 6 

-3- 

saved pending analysis results and subsequently returning to follow a second branch path 
having restored said pending analysis results; 

wherein a state variable is marked as initialised upon occurrence of one of: 

(i) a write to said state variable of a determined initialised value: and 

fii'^ use of said state variable as a memory address value bv a pr opra"^ instruction: 
wherein a branch path stops being followed when on e of the followitig occurs: 
(\) there are no further sxiitablc program instruction for executio n within that 
branch path: and 

(ii) said branch path rcioins a previously par sed execution path. 

2. (original) A computer program product as claimed in claim 1, wherein said 
computer virus is a polymorphic computer virus. 

3. (cancelled) 

4. (previously presented) A computer program product as claimed in claim 1, 
wherein for each program instruction said analysis logic makes a determination as to 
which state variables are read by that program instruction. 

5. (previously presented) A computer program product as claimed in clahn 1 , 
wherein for each program instruction said analysis logic makes a determination as to 
which state variables are written by that program instruction. 
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6. (cancelled) 

7. (previously presented) A computer program product as claimed in claim 1, 
wherein said state variables include at least one of: 

(i) register values; 

(ii) processing result flag values; and 

(iii) a flag indicative of a write to a non-register storage location. 

8. (previously presented) A computer program product as claimed in claim 1> 
wherein said analysis logic includes an initialisation table indicating which state variables 
have been initialised. 

9. (cancelled) 

10. (cancelled) 

1 1 . (cancelled) 

12. (previously presented) A computer program product as claimed in claim 1, 
wherein if said threshold level is exceeded, then further virus detection mechanisms are 
triggered to confirm the presence of a computer virus. 
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13. (currently amended) A method of detecting an executable computer program 
containing a computer virus, said method comprising the steps of: 

analysing program instructions forming said executable computer program to 
identify suspect program instmctions being at least one of: 

(i) a program instruction generating a result value not used by another 
portion of said executable computer program; and 

(ii) a program instruction dependent i^n an uninitialised variable; 
detecting said executable computer program as containing a computer virus if a 

number of suspect program instructions identified for said executable computer program 
exceeds a threshold level; 

maintaining a dependence table indicating dependency between state variables 
within said computer and loaded variable values, wherein for each program instruction a 
determination is made as to which state variables are read and written by that program 
instruction and, for each loaded variable value within said dependence table, if any state 
variable read by that program instruction is marked as dependent upon said loaded 
variable value, then all state variables written by that program instruction are marked as 
dependent upon said loaded variable value with previous dependencies being cleared; and 

parsing said executable computer program for suspect program instructions by 
following execution flow and upon occurrence of a branch first following a first branch 
path having saved pending analysis results and subsequently returning to follow a second 
branch path having restored said pending analysis results; 

wherein a state variable is marked as initialised upon occurrence of one of: 

(i) a write to^said state variable of a determined initialised value: and 
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(ii) use of said state variable as a memory address value bv a program instructioD: 
wherein a branch path stops being followed when one of the following occurs: 

(i) there are no further suitable program instruction for execution w ithin that 
branch path: and 

(ii) said branch path rejoins a previously parsed execution path . 

14. (original) A method as claimed in claim 13, wherein said computer virus is a 
polymorphic computer virus. 

15. (cancelled) 

16. (original) A method as claimed in claim 13, wherein for each program 
instruction a determination is made as to which state variables are read by that program 
instruction. 

17. (original) A method as claimed in claim 13, wherein for each program 
instruction a determination is made as to which state variables are written by that 
program instruction. 

18. (cancelled) 

19. (previously presented) A method as claimed in claim 13, wherein said state 
variables include at least one of: 
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(i) register values; 

(ii) processing result flag values; and 

Qii) a flag indicative of a write to a non-register storage location. 

20. (previously presented) A method as claimed in claim 13, including the step of 
maintaining an initialisation table indicating which state variables have been initialised, 

21. (cancelled) 

22. (cancelled) 

23. (cancelled) 

24. (previoxjsly presented) A method as claimed in claim 13, wherein if said 
threshold level is exceeded, then further virus detection mechanisms are triggered to 
confirm the presence of a computer virus. 

25- (currently amended) Apparatus for detecting an executable computer program 
containing a computer virus, said apparatus comprising; 

an analyser for analysing program instructions forming said executable computer 
program to identify suspect program instructions being at least one of; 

(i) a program instruction generating a result value not used by another portion of 
said executable computer program; and 
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(ii) a program instruction dependent upon an uninitialised variable; and 
a detector operable to detect said executable computer program as containing a 
computer virus if a number of suspect program instructions identified for said executable 
computer program exceeds a threshold level, wherein said analyser includes a 
dependence table indicatiag dependency between state variables within said computer 
and loaded variable values, wherein for each program instruction said analyser makes a 
determination as to which state variables are read and written by that program instruction 
and for each loaded variable value within said dependence table if any state variable read 
by that program instruction is marked as dependent upon said loaded variable value, then 
all state variables written by that program instruction are marked as dependent upon said 
loaded variable value with previous dependencies being cleared, and said analyser parses 
said executable computer program for suspect program instructions by following 
execution flow and upon occurrence of a branch first following a first branch path having 
saved pending analysis results and subsequently returning to follow a second branch path 
having restored said pending analysis results; 

wherein a state variable is marked as initialised upon occurrence of one of: 
(i) a write to said state variable of a determined initialised value: and 
mi use of said state variable as a memqrv address value by a program instruction: 
wherein a branch path stops being followed when one of the follovying occursj 

(i) there are no fart her suitable program instruction for execution within that 
branch path: and 

(ii) said branch pa th rejoins a previously parsed execution path . 
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26. (original) Apparatus as claimed in claim 25, wherein said computer virus is a 
polymorphic computer virus. 

27. (cancelled) 

28. (previously presented) Apparatus as claimed in claim 25, wherein for each 
program instruction said analyser makes a determination as to which state variables are 
read by that program instruction. 

29. (previously presented) Apparatus as claimed in claim 25, wherein for each 
program instmction said analyser makes a determination as to which state variables are 
written by that program instruction. 

30. (cancelled) 

31. (previously presented) Apparatus as claimed in claim 25, wherein said state 
variables include at least one of: 

(i) register values; 

(ii) processing result flag values; and 

(iii) a flag indicative of a write to a non-register storage location. 
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32. (previously presented) Apparatus as claimed in claim 25, wherein said 
analyser includes an initialisation table indicating which state variables have been 
initialised. 

33. (cancelled) 

34. (cancelled) 

35. (cancelled) 

36. (previously presented) Apparatus as claimed in claim 25, wherein if said 
threshold level is exceeded, then further virus detection mechanisms are triggered to 
confirm the presence of a computer virus, 



PAGE RCVD AT 1(»13f200S 5:03:26 PM [Eastern OayOght nme]' SVR:USPTO{FXIff-6/33' DNI8:2738300' CS[D:4^^^^ 



